protect brute force attack mod security
mrbombom Member
edited August 2016 in Help

The login service of my application is being attacked by brute-force login and password enumeration. I want to use Apache mod_security to stop these attempts, but the rules I put in place are not successful:

# Initialize IP collection with user's IP address
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"

# Detect failed login attempts
SecRule RESPONSE_BODY "password is invalid|username is invalid" "phase:4,pass,setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=60"

# Block subsequent login attempts
SecRule IP:FAILED_LOGINS "@gt 3" deny

When testing with POST requests I still get the response "password & username is invalid".

How can the rules above be changed to stop repeated attempts to login?

Comments

  • @mrbombom said:
    I want to use Apache mod_security to stop these attempts

    Why? It makes very little sense to address abuse at the service level. If a network is attacking you via HTTP, there's no reason to expect it won't also come after you via SMTP or SSH or anything else. Just drop them into the firewall. If you want to automate it based on some rules, use something like fail2ban.

  • justvm Member, Patron Provider
    edited August 2016

    You can also use csf/lfd.

  • mrbombom Member
    edited August 2016

    @vpsrus:
    No, I just want to limit the login link to avoid password scanning. CSF / LFD is only effective against DDoS attacks.

    @impossiblystupid:
    I'm trying to have it so that a wrong password or username more than 3 times will lock for 15 min. Even by IP.

  • Why don't you give mod_qos a go? What version of Apache are you using?

  • GigsGigs Member, Host Rep

    You want to protect your users' login to your website, and stop too many failed attempts? If yes, then you have to configure it at the software level, not in Mod_Security.

    Mod_Security functions more as a "Web Application Firewall", to protect your website from malicious attacks. You need to have certain knowledge to manage the rules; leaving the default rules may cause it to be over-sensitive (some genuine users not able to access your website) or not sensitive enough. However, there are also some commercial rule sets available for you to subscribe to.

    For system-layer brute force, it is normally done via a firewall, or Linux iptables, like CSF, APF etc.

    For a web application, you need some programming in your application to trigger blocking in the firewall or iptables. If there is no trigger from your software, nobody knows it is a failed login.

  • mrbombom Member
    edited August 2016

    GigsGigs said: You want to protect your users' login to your website, and stop too many failed attempts? If yes, then you have to configure it at the software level, not in Mod_Security.

    Mod_Security functions more as a "Web Application Firewall", to protect your website from malicious attacks. You need to have certain knowledge to manage the rules; leaving the default rules may cause it to be over-sensitive (some genuine users not able to access your website) or not sensitive enough. However, there are also some commercial rule sets available for you to subscribe to.

    For system-layer brute force, it is normally done via a firewall, or Linux iptables, like CSF, APF etc.

    For a web application, you need some programming in your application to trigger blocking in the firewall or iptables. If there is no trigger from your software, nobody knows it is a failed login.

    I want 3 failed logins to block the IP for 15 min. I just want to prevent external logins only; I already have a firewall.

  • So why not Fail2Ban?

  • @mrbombom said:
    I want 3 failed logins to block the IP for 15 min. I just want to prevent external logins only; I already have a firewall.

    As others have said, fail2ban is what you want. It monitors the application but blocks at the firewall. It's very configurable and just works. Plus since it blocks at the firewall, you're saving resources as the blocked attacker never hits your web server application, PHP interpreter, etc.

  • century1stop Member
    edited August 2016

    Why not just code it in your application? I.e. with PHP you can allow N login attempts for a specific IP.
    EDIT: googled and found this

    Append in your http.conf modsec user rules:

    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134

    # Setup brute force detection.
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

    Just customize bf_counter in the last 2 lines to your desired variables.
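For reference, here is a complete ModSecurity 2.x rule set that does what the question asks for (3 failed logins lock the client IP out of the login page for 15 minutes) and also borrows the block-flag and reset-on-success pattern from the snippet above. This is an added example, not the original poster's rules and not the snippet century1stop found. It assumes the login form posts to /login, that a failed login returns HTTP 200 with the body text "password is invalid" or "username is invalid" (the strings from the question), and that a successful login answers with a 302; the SecDataDir path and the rule ids 900100 to 900104 are placeholders chosen for this example.

```apache
# Added example (not from the thread): ModSecurity 2.x lockout after 3 failed
# logins, blocking the client IP for 15 minutes (900 s).
# Assumptions: the login form posts to /login; a failed login answers HTTP 200
# with "password is invalid" or "username is invalid" in the body; a successful
# login answers with a 302 redirect.

# Persistent collections (initcol/setvar/expirevar on ip.*) need a data
# directory that the web server user can write to. Path is an assumption.
SecDataDir /var/cache/modsecurity

# RESPONSE_BODY is empty unless body access is on for the response MIME type,
# which is the usual reason a phase:4 RESPONSE_BODY rule never matches.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json

# Load (or create) the per-IP collection on every request.
SecAction "phase:1,id:900100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# 1. While the block flag is set, refuse /login before the application sees it.
SecRule REQUEST_URI "@beginsWith /login" \
    "phase:1,id:900101,deny,status:403,log,chain,\
    msg:'Login locked out: 3 failed logins from this IP within 15 minutes'"
    SecRule IP:BLOCKED "@eq 1"

# 2. Count a failure when the application's error text appears in the response.
#    expirevar keeps the counter alive for 15 minutes after the last failure.
SecRule REQUEST_URI "@beginsWith /login" "phase:4,id:900102,nolog,pass,chain"
    SecRule RESPONSE_BODY "@rx password is invalid|username is invalid" \
        "setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=900"

# 3. A successful login (302) clears the counter, as in the snippet above.
SecRule REQUEST_URI "@beginsWith /login" "phase:5,id:900103,nolog,pass,chain"
    SecRule RESPONSE_STATUS "@rx ^302" "setvar:ip.failed_logins=0"

# 4. Third failure: raise the block flag for 900 s and reset the counter.
SecRule IP:FAILED_LOGINS "@ge 3" \
    "phase:4,id:900104,nolog,pass,setvar:ip.blocked=1,expirevar:ip.blocked=900,setvar:ip.failed_logins=0"
```

Two caveats when deploying something like this: REMOTE_ADDR is the address of whatever connects to Apache, so behind a reverse proxy or CDN every visitor shares the proxy's address and a single lockout affects all of them (mod_remoteip or an equivalent is needed to key on the real client); and because the key is the IP, legitimate users behind a shared NAT can be locked out by one bad actor on the same network, which is the trade-off the earlier replies point at when they suggest handling this in the application or at the firewall.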

  • mrbombom Member
    edited August 2016

    I cannot change the PHP, so I want to use this mod (mod_security) to do the securing.

    century1stop said: Why not just code it in your application? I.e. with PHP you can allow N login attempts for a specific IP.

    EDIT: googled and found this

    Append in your http.conf modsec user rules:

    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134

    # Setup brute force detection.
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

    Just customize bf_counter in the last 2 lines to your desired variables.

    I understand this. I will research to find other, more efficient solutions. Very grateful to everyone who replied to me.

  • JustAMacUser said: As others have said, fail2ban is what you want. It monitors the application but blocks at the firewall. It's very configurable and just works. Plus since it blocks at the firewall, you're saving resources as the blocked attacker never hits your web server application, PHP interpreter, etc.

    I understand this. I will research to find other, more efficient solutions. Very grateful to everyone who replied to me.
